US8806645B2 - Identifying relationships between security metrics - Google Patents
Publication number: US8806645B2 (application US13/078,440)
Authority: US (United States)
Prior art keywords: metric, definitions, network system, security, time
Legal status: Active, expires
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
Definitions
- This specification relates to identifying relationships between security metrics that estimate the security of a system of assets.
- Each asset in a system of assets is a computer or other electronic device.
- A system of assets can be connected over one or more networks.
- For example, a home might have five assets, each of which is networked to the others and connected to the outside world through the Internet.
- Similarly, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.
- The security of a system of assets is derived from the risk that threats could attack different assets in the system.
- Each asset in the system of assets can be at risk from multiple threats at any given time.
- Each threat corresponds to a potential attack on the asset by a particular virus, malware, or other unauthorized entity.
- An attack occurs when the unauthorized entity exploits a known vulnerability of the asset in an attempt to access or control the asset.
- Some threats have known remediations that, if put in place for an asset, eliminate or reduce the risk that the threat will affect the asset. Some threats do not have known remediations.
- One innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time; receiving a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system; calculating, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system; comparing the scores for each metric over the period of time to identify one or more relationships between the plurality of metric definitions; and selecting
- Another innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time; receiving a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system; calculating, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system; comparing the scores for the metrics over the period of time to identify one or more relationships between the plurality of metric definitions; presenting a graphical
- Key performance indicators are metrics that are identified as being important to represent the state of the environment, and help identify important data within a sea of unimportant metrics. Key performance indicators that correlate well with many system security metrics can be used. This reduces the number of security metrics a user has to follow and interpret. Key performance indicators can be selected from security metrics that are customized to the system itself, or user preferences, rather than from off-the-shelf security metrics. Users can visualize and better understand relationships between different security metrics, which facilitates interpretation of the data.
- FIG. 1 illustrates an example asset system monitored by a metric system.
- FIG. 2 illustrates an example of the data used by the metric system and the sources of the data used by the metric system.
- FIG. 3 is a flow diagram of an example process for selecting candidate key performance indicators from metric definitions.
- FIG. 4 is a flow diagram of an example process for identifying and presenting relationships between security metrics to users.
- FIG. 5A is an example graphical user interface presenting three candidate key performance indicators.
- FIG. 5B is an example graphical user interface presenting a candidate key performance indicator along with three related security metrics.
- FIG. 5C is an example graphical user interface presenting a key performance indicator with baseline and goal reference points.
- FIG. 5D is an example graphical user interface presenting a key performance indicator relative to an industry standard.
- FIG. 6 is an example graphical user interface presenting two security metrics and details on the relationship between the two security metrics.
- FIG. 1 illustrates an example asset system 100 monitored by a metric system 102 .
- The assets 104 in the system 100 are connected to each other, and optionally to other systems, by a network 106.
- Each asset 104 can be vulnerable to one or more threats, e.g., possible attacks. These threats include, for example, viruses, malware, and other unauthorized attacks. Each asset can be protected by a variety of countermeasures including passive countermeasures and active countermeasures.
- The assets 104 are monitored by agent-based sensors 108 and network-based sensors 110.
- For example, agent-based sensor 108a is installed on asset 104a, agent-based sensor 108b is installed on asset 104c, and agent-based sensor 108c is installed on asset 104e.
- The agent-based sensors 108 run various analyses on their respective assets 104, for example, to identify vulnerabilities on the assets 104 or to identify viruses or other malware executing on the assets 104.
- The agent-based sensors 108 can also generate other data about the assets or the operation of the assets, for example, the number of suspicious programs operating on a user computer asset at a given time, the number of spam e-mails an e-mail server asset detects in a given day, etc.
- Agent-based sensors can also detect additional features, states and software, such as improper configuration, missing patches, malware, asset information (OS, network connectivity), user information, weak passwords, improper file or directory permissions, etc.
- Example agent-based sensors include antivirus software, host intrusion prevention software, configuration management software that precludes changing of certain files, file integrity monitors, network access control software that controls access to a network, etc. These features can be implemented in separate software components or bundled into several (or even one) software component.
- The network-based sensors 110 are hardware devices and/or software in a data communication path between the assets 104 protected by the sensor and the network resources that the assets are attempting to access.
- For example, sensor 110a is connected to assets 104a and 104b, and sensor 110b is connected to assets 104c, 104d, and 104e.
- Although FIG. 1 illustrates a single network-based sensor 110 in a communication path with each asset, other configurations are possible.
- For example, multiple network-based sensors 110 can be connected to the same asset 104, and some assets 104 may not be connected to any network-based sensors 110.
- An example network-based sensor includes one or more processors, a memory subsystem, and an input/output subsystem.
- The one or more processors are programmed according to instructions stored in the memory subsystem, and monitor the network traffic passing through the input/output subsystem.
- The one or more processors are programmed to take one or more protective actions on their own, or to query a sensor control system (not shown) and take further actions as instructed by the metric system 102.
- Example network-based sensors include network access control systems, firewalls, routers, switches, bridges, hubs, web proxies, application proxies, gateways, mail filters, virtual private networks, intrusion prevention systems and intrusion detection systems, etc.
- When an asset 104 tries to send information through the network 106 or receive information over the network 106 through a network-based sensor 110, the sensor analyzes information about the asset 104 and the information being sent or received and generates data about the information. The network-based sensor also determines whether to allow the communication.
- The overall security of the asset system 100 depends on the overall security of the individual assets in the system. However, quantitatively measuring the security of an asset system can be difficult. Different security metrics will often give different pictures of a system's security. To help system administrators (and other users) gain a manageable sense of their system's security, the metric system 102 evaluates relationships between various security metrics and identifies one or more key performance indicators from the metric definitions. Each key performance indicator is a metric definition that represents the security of the network system as a whole, e.g., a metric definition that is related to the performance of other metrics in such a way that the key performance indicator is indicative of those other metrics.
- The metric system 102 also allows users to visualize relationships, e.g., correlations, between different security metrics. This can help users develop an intuitive understanding of relationships between security metrics.
- FIG. 2 illustrates an example of the data used by the metric system 102 and the sources of the data used by the metric system 102 .
- The metric system 102 receives security information data 202 and metric definition data 204 from various sources to determine the key performance indicators.
- The metric system receives the security information data 202 from security information data sources 206 and receives the metric definitions 204 from metric definition sources 208.
- The security information data 202 includes values of one or more security signals for the system over time, and the metric definitions 204 define heuristics for calculating a score for the network system from one or more security signals at a particular time. The score quantifies a security metric for the network system.
- Security information data 202 and metric definitions 204 are described in more detail below.
- The security information data 202 is data describing one or more aspects of assets in the system.
- The security information data 202 can be data specific to individual assets, groups of assets, or the system of assets as a whole.
- For example, the security information data 202 can be data describing the operation of the assets, e.g., details on the number of viruses found on assets or the number of spam e-mails received by assets.
- The security information data 202 can also be data describing vulnerabilities detected on assets in the system, or data describing countermeasures protecting assets in the system.
- The security information data 202 can also be external data describing aspects of the assets in the system that are external to the system itself, for example, how much insurance there is for particular assets in the system.
- The security information data 202 is received from one or more security information data sources 206.
- In some implementations, the security information data sources 206 are one or more data aggregators.
- A data aggregator is one or more servers that receive security information data, aggregate the data, and format the data in a format usable by the metric system 102.
- The data aggregators can receive security information data from the assets themselves or from the sensors monitoring the assets.
- Example data aggregators include McAfee ePolicy Orchestrator®, available from McAfee of Santa Clara, Calif., and Active Directory®, available from Microsoft Corporation of Redmond, Wash.
- In other implementations, the security information data source(s) 206 are the assets and/or sensors themselves.
- The security information data sources 206 can be internal security information data sources, external security information data sources, or both.
- Internal security information data sources are sources provided by a same provider as the provider of the metric system 102 . For example, if the metric system is a product sold by Company A, then any security information data sources also produced by Company A would be internal security information data sources.
- External security information data sources are sources provided by a different provider than the provider of the metric system 102 . For example, if the metric system is a product sold by Company A, then any security information data sources not produced by Company A would be external security information data sources.
- The system receives data from external data sources using different protocols than the protocols the system uses to receive data from internal data sources. For example, the system can automatically receive data pushed from internal data sources whenever the internal data sources want to send the data, and can pull data from external data sources only when the metric system 102 needs additional data.
- The system authenticates the security information data source 206, for example using conventional authorization techniques, to confirm that the security information data source 206 is authorized to send data to the metric system 102.
- The metric definition data 204 is received from one or more metric definition sources 208.
- The metric definition data 204 defines one or more security metrics by means of metric definitions.
- Each security metric has a value that is a measurement, or a value derived from multiple measurements, that quantifies the security of the system.
- The security metrics are generally designed to measure the overall security provided within the system, as opposed to the security provided by any particular sensor or countermeasure active on the network.
- The security metrics are used to measure the overall security of the system, and can be pre-defined, customized, or a combination of both.
- Example metric definitions are the number of vulnerabilities detected on a system, the number of remediations applied to assets in the system, the number of times assets in the system have been hacked, the number of times spam e-mails have been received by assets in the system, and combinations of these, for example, the number of vulnerabilities detected on a system minus the number of remediations applied to assets in the system.
- The security metrics can be hierarchical.
- A security metric, as defined by its corresponding definition, can take into account security information data to generate a metric score or value (e.g., the percentage of detected spam e-mails for every 1,000 e-mails).
- A security metric can also take into account scores for other security metrics to generate a metric score or value (e.g., an e-mail security health metric can take into account security metrics related to spam, phishing, and infected e-mail attachments).
- Each security metric is a measurement that describes the state of some facet of security.
- A security metric taken independently, in the absence of a hierarchical relation to other security metrics, often does not convey an overall security state. Accordingly, combining security metrics (either to generate a new combined metric value, or to visualize them in combination) often conveys the actual security posture of an overall system more readily.
- For example, when phishing e-mail levels grow past a certain threshold, host intrusion detections also go up, the firewall blocking rate increases, and so do attacks on financial web services.
- The analysis of various metrics results in the identification of a positive or negative correlation between certain metrics. While correlation does not necessarily equate to causation, presentation of the metrics that are correlated can help security administrators understand the overall behavior of the security system, and help guide administrators when determining where to allocate investigative and remedial resources.
- The metric definitions include metadata about the metric each defines and instructions that cause a processing device to calculate a metric value (score) that measures the metric.
- The metric definition can be specified in various ways.
- In some implementations, the metric definitions are executable program code that accesses the security information data 202 using an Application Programming Interface (API) provided by the metric system 102.
- The API specifies commands that the metric definition programs can invoke.
- In some implementations, different API commands are accessible to metric definitions received from different metric data sources.
- For example, the metric system 102 can assign a level of trust to each of the metric data sources 208, and only allow metric definitions from metric data sources 208 having a level of trust above a threshold to access particular API commands.
- In other implementations, the metric definitions are specified in a script that can be executed by the metric system 102.
- The script is specified by a user.
- For example, a user enters desired values and operations into a web browser, which automatically generates the script based on the user input.
- In still other implementations, the metric definitions are defined using XML or an XML-like language with pre-defined operands and data sources. In some implementations, the metric definitions are specified using XML transforms.
- The scripts, schemas, and other constructs for defining metric definitions take into account the security information data 202 available.
- For example, the security information data 202 can be defined to conform to a schema or standard (e.g., certain fields and values for representing risks, attacks, exploits, and their corresponding types), and, using the common schema or standard, users can generate the corresponding metric definitions.
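As an added example (not code from the patent), the following Python sketch evaluates declarative metric definitions of the kind described above over a constructed signal schema: each definition names a pre-defined operator and operands that are either signals or other metrics, so a hierarchical metric (the e-mail health metric built from spam, phishing and infected-attachment rates) is scored by recursion, and each definition's explicit metric dependencies can be extracted for later use. All signal names, values, operator names and definitions are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed security information data: one value per signal per time step.
SIGNALS = {
    "vulns_detected": [40, 42, 45, 47, 50],
    "remediations": [10, 14, 20, 25, 32],
    "emails_total": [1000, 1200, 1100, 1300, 1250],
    "spam_emails": [50, 72, 55, 91, 75],
    "phishing_emails": [5, 9, 6, 14, 10],
    "infected_attach": [1, 2, 1, 3, 2],
}

# The pre-defined operands a definition may use (a stand-in for the XML-like vocabulary).
OPERATORS = {
    "diff": lambda a, b: a - b,
    "sum": lambda *xs: sum(xs),
    "per_1000": lambda part, total: part * 1000 / total if total else 0.0,
}


@dataclass(frozen=True)
class MetricDefinition:
    name: str
    operator: str
    operands: tuple        # signal names or names of other metrics
    source: str = "local"  # metadata: which metric definition source supplied it


# Constructed definitions; email_health is hierarchical (built only from other metrics).
DEFINITIONS = {d.name: d for d in [
    MetricDefinition("net_vulns", "diff", ("vulns_detected", "remediations")),
    MetricDefinition("spam_per_1000", "per_1000", ("spam_emails", "emails_total")),
    MetricDefinition("phish_per_1000", "per_1000", ("phishing_emails", "emails_total")),
    MetricDefinition("infected_per_1000", "per_1000", ("infected_attach", "emails_total")),
    MetricDefinition("email_health", "sum",
                     ("spam_per_1000", "phish_per_1000", "infected_per_1000")),
]}


def validate(definitions, signals):
    """Reject unknown operators or operands and cyclic metric references before evaluating."""
    def walk(name, path):
        if name in path:
            raise ValueError("cyclic metric definition: " + " -> ".join(path + [name]))
        d = definitions[name]
        if d.operator not in OPERATORS:
            raise ValueError(f"{name}: unknown operator {d.operator!r}")
        for op in d.operands:
            if op in definitions:
                walk(op, path + [name])
            elif op not in signals:
                raise ValueError(f"{name}: unknown operand {op!r}")
    for name in definitions:
        walk(name, [])


def metric_dependencies(definitions, name):
    """Transitive set of other metrics a definition is explicitly built from."""
    deps = set()
    for op in definitions[name].operands:
        if op in definitions:
            deps.add(op)
            deps |= metric_dependencies(definitions, op)
    return deps


def score_at(definitions, signals, name, t):
    """Apply one definition to the signal values at time t, recursing into sub-metrics."""
    d = definitions[name]
    args = [score_at(definitions, signals, op, t) if op in definitions else signals[op][t]
            for op in d.operands]
    return OPERATORS[d.operator](*args)


def score_series(definitions, signals):
    """Scores for every metric at every time step: {metric: [score at t0, t1, ...]}."""
    validate(definitions, signals)
    n = len(next(iter(signals.values())))
    return {name: [score_at(definitions, signals, name, t) for t in range(n)]
            for name in definitions}


if __name__ == "__main__":
    for name, series in score_series(DEFINITIONS, SIGNALS).items():
        print(f"{name:18s} {[round(v, 2) for v in series]}")
    print("email_health depends on:", sorted(metric_dependencies(DEFINITIONS, "email_health")))
```

The dependency sets returned by `metric_dependencies` are what a later comparison step needs in order to avoid correlating a combined metric with its own inputs.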
- The system authenticates the metric definition sources 208 before receiving metric definitions from them, much as the system authenticates security information data sources 206 before receiving security information data 202.
- The system uses combinations of conventional validation, authentication and access control techniques to validate and verify metric definitions before using them. This helps protect the metric system 102 from malicious instructions that could be embedded in metric definitions.
- A metric definition source can be a security service provider that provides pre-defined metric definitions.
- In that case, the system 102 is initially aware of which metrics correlate with other metrics based on previously performed observation (e.g., based on analysis by the security provider) or prior knowledge of the definitions.
- The security provider provides definitions as content and releases the metric definitions to customers through a metric stream, e.g., a service through which a customer periodically receives predefined definitions and updates to the predefined definitions.
- The system 102 can report key performance indicators to the metric definition data source, e.g., a security provider.
- The security provider can, for example, aggregate the key performance indicators across industries and verticals, and provide the aggregated data to entity customers that use the system 102.
- Entity customers can then compare their system performance against industry performance.
- The industry data collected from customers is anonymized to ensure that no identifying information is provided with the data that could be traced back to an individual customer.
- The metric system 102 can help users, such as system administrators, understand the security of their system, identify the best security metrics for their system, and understand relationships between the security metrics in various ways. For example, the metric system 102 can identify candidate key performance indicators or can present visual representations of relationships between security metrics.
- FIG. 3 is a flow diagram of an example process 300 for selecting candidate key performance indicators from metric definitions.
- The process can be implemented by a system of one or more computers, for example, by the metric system 102.
- The process 300 receives security information data (302), for example, as described above with reference to FIG. 2.
- The process calculates, for each metric definition, scores for the system over a period of time (306).
- The process calculates the score for a metric definition at a given time by applying the metric definition to security signals in the security information data from the given time. For example, if the metric definition is represented by executable code, the process executes the code. If the metric definition is represented by a script, the process executes the script. If the metric definition is represented using an XML file, the process interprets the XML file.
- The process compares the scores for each metric over the period of time to identify one or more relationships between the metric definitions (308).
- In some implementations, the relationships between the metric definitions are determined by determining correlations between two or more security metrics.
- The correlations can be positive or negative correlations.
- Alternatively, other functions can be used to determine the relationships between the security metrics corresponding to the metric definitions over time. For example, user-specified functions, received for example through a user interface, can be used.
- In some implementations, the system 102 performs phase-aware correlations in which metrics are time shifted and correlation measurements are calculated for each time shift.
- The phase-aware correlation can detect metrics that appear uncorrelated with respect to a same time reference, but are, in fact, correlated when one of the metrics is time shifted with respect to the other.
- The system 102 can also take into account metric dependencies to detect false-positive correlations. For example, two metrics may be combined to define a combined metric that is explicitly dependent on the two metrics, i.e., the combined metric is explicitly defined by a function of the two metrics.
- The system 102 accounts for the metric dependencies so that false positives and false negatives are detected or avoided (e.g., a combined metric is not compared to the metrics it is explicitly dependent on).
- A metric definition that may be a key performance indicator is positively or negatively correlated to one or more other metric definitions, but is not explicitly dependent on the one or more other metric definitions with which it is positively or negatively correlated.
- The process selects metric definitions that are candidates to be key performance indicators (310).
- A key performance indicator is a metric definition that represents the security of the network system as a whole, or is indicative of an important state of an environment.
- A key performance indicator is a metric (or set of metrics) that exhibits a strong positive or negative correlation.
- For example, the process 300 can identify metric definitions that are strongly correlated with many other metric definitions.
- The process 300 can also identify metric definitions that are used by other companies in the same industry as the company whose asset system is being monitored, or metric definitions that are strongly related to metric definitions that are used by other companies in the same industry.
- In some implementations, the process 300 receives data from a user that specifies particular security metrics that are of interest to the user.
- The process 300 then identifies candidate key performance indicators by identifying security metrics that are strongly related to the security metrics specified by the user. For example, the process 300 can identify security metrics that are strongly correlated with the security metrics specified by the user, or that are strongly correlated but tend to change before the security metrics specified by the user. For example, if the user specifies security metric A, and security metric B always changes a day before security metric A changes, the process could identify security metric B as a candidate key performance indicator.
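As an added example (not the patent's code), the following Python implements the comparison and selection steps described above: each pair of metric score series is correlated at every time shift up to a maximum lag (the phase-aware correlation), pairs where one definition is explicitly built from the other are skipped, and candidates are selected either as metrics strongly related to several others or as metrics that change before a user-specified metric. The metric names, daily scores and dependency map are constructed; `combined_email_fw` is defined as the sum of the phishing and firewall metrics so the dependency check has something to exclude.

```python
from itertools import combinations
from math import sqrt

# Constructed daily scores (12 days) for five metric definitions.
PHISHING = [2, 3, 2, 8, 9, 3, 2, 10, 11, 3, 2, 4]
SCORES = {
    "phishing_emails": PHISHING,
    # in-phase relationship: firewall blocks track phishing the same day
    "firewall_blocks": [5 * p + 1 for p in PHISHING],
    # host IDS alerts follow phishing by one day (day 0 is a filler value)
    "host_ids_alerts": [5] + [2 * p for p in PHISHING[:-1]],
    # combined metric explicitly defined as phishing + firewall
    "combined_email_fw": [p + (5 * p + 1) for p in PHISHING],
    # unrelated alternating series, to show what gets filtered out
    "printer_jobs": [i % 2 for i in range(12)],
}
# Explicit dependencies recorded from the metric definitions.
DEPENDS_ON = {"combined_email_fw": {"phishing_emails", "firewall_blocks"}}


def pearson(x, y):
    """Pearson r; 0.0 when a series is constant or too short to correlate."""
    n = len(x)
    if n < 3 or n != len(y):
        return 0.0
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def lagged_correlation(x, y, max_lag):
    """Phase-aware correlation: (lag, r) with the largest |r| over all shifts.

    lag > 0 means x leads y (x[t] lines up with y[t + lag]); lag < 0 means y
    leads x. Lags are tried nearest-first, so ties go to the smaller shift.
    """
    best = (0, 0.0)
    for lag in sorted(range(-max_lag, max_lag + 1), key=abs):
        if lag >= 0:
            r = pearson(x[:len(x) - lag], y[lag:])
        else:
            r = pearson(x[-lag:], y[:len(y) + lag])
        if abs(r) > abs(best[1]) + 1e-12:
            best = (lag, r)
    return best


def explicitly_dependent(a, b, depends_on):
    """True if either definition is (transitively) built from the other."""
    def ancestors(name, seen=frozenset()):
        direct = set(depends_on.get(name, ()))
        out = set(direct)
        for d in direct - seen:
            out |= ancestors(d, seen | {name})
        return out
    return b in ancestors(a) or a in ancestors(b)


def find_relationships(scores, depends_on, max_lag=2, min_abs_r=0.8):
    """Compare every pair of metrics; returns (a, b, lag, r) with lag > 0 meaning a leads b."""
    found = []
    for a, b in combinations(sorted(scores), 2):
        if explicitly_dependent(a, b, depends_on):
            continue  # a combined metric is not compared to its own inputs
        lag, r = lagged_correlation(scores[a], scores[b], max_lag)
        if abs(r) >= min_abs_r:
            found.append((a, b, lag, r))
    return found


def candidate_kpis(relationships, min_partners=2):
    """Metrics that are strongly related to at least min_partners others."""
    partners = {}
    for a, b, _lag, _r in relationships:
        partners.setdefault(a, set()).add(b)
        partners.setdefault(b, set()).add(a)
    return {m for m, p in partners.items() if len(p) >= min_partners}


def leading_indicators(relationships, target):
    """Metrics strongly related to `target` that change before it: {metric: days}."""
    leads = {}
    for a, b, lag, _r in relationships:
        if b == target and lag > 0:
            leads[a] = lag
        elif a == target and lag < 0:
            leads[b] = -lag
    return leads


if __name__ == "__main__":
    rels = find_relationships(SCORES, DEPENDS_ON)
    for a, b, lag, r in rels:
        print(f"{a} ~ {b}: lag={lag:+d} r={r:.3f}")
    print("candidate KPIs:", sorted(candidate_kpis(rels)))
    print("leads host_ids_alerts:", leading_indicators(rels, "host_ids_alerts"))
```

On the constructed data the phishing, firewall and host IDS metrics come out as candidates, matching the example in the text, while the combined metric is never compared to its two inputs.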
- The system presents the candidate key performance indicators to a user.
- For example, the process can present the name of each candidate key performance indicator along with values of the candidate key performance indicator over time.
- In some implementations, the process presents a graphical representation of the values of the candidate key performance indicators over time.
- The system can optionally present graphical representations of the values of other security metrics, for example, other security metrics correlated with the key performance indicator, alongside the graphical representation of the values of the key performance indicator over time.
- The process 300 can receive user input selecting one or more of the selected metric definitions as the key performance indicators for the asset system. Alternatively, or in addition, the process 300 can receive user input selecting two or more of the candidate key performance indicators and requesting that a definition of a security metric resulting from a combination of the candidate key performance indicators be used as a key performance indicator.
- For example, a security administrator would see that the phishing e-mail levels, host intrusion detections, and firewall blocking rates are candidate key performance indicators.
- The administrator examines the metrics and underlying security information data in more detail, and determines that the key performance indicator is indeed the phishing e-mail level metric. He or she then selects this metric as a key performance indicator for financial services attacks.
- The metric system 102 can continue to monitor the specified key performance indicators and present their values to the user when requested by the user.
- In some implementations, the user specifies particular thresholds for the different key performance indicators, and the metric system 102 issues alerts to the user if the value of a key performance indicator rises above, or falls below, the specified threshold for the key performance indicator.
- FIG. 4 is a flow diagram of an example process 400 for identifying and presenting relationships between security metrics to users.
- the process 400 can be implemented by a system of one or more computers, for example, by the metric system 102 .
- the process 400 presents information about relationships between security metrics to users, instead of automatically identifying candidate key performance indicators, like the process 300 does.
- the process receives security information data and metric definitions ( 402 ), for example, as described above with reference to FIGS. 2 and 3 .
- the process calculates, for each metric definition, scores for the metric definition over a period of time ( 404 ), for example, as described above with reference to FIG. 3 .
- the process compares the scores for the metric definitions over the period of time to identify one or more relationships between the metric definitions ( 406 ), for example, as described above with reference to FIG. 3 .
- the system compares all of the metric definitions to each other in order to identify the one or more relationships.
- the system compares only metric definitions specified by a user. For example, the system could have twenty metric definitions, but if a user specified that he or she was only interested in the relationships between three particular metric definitions, the system would only compare the three metric definitions.
- the process presents one or more of the identified relationships to a user ( 408 ). For example, if the system has identified a relationship between two security metrics, the system can present graphical representations of the values of the security metrics over time, and optionally include details regarding the relationship. An example detail of a relationship between two security metrics is an r-squared value for the correlation between the two security metrics. Example graphical presentations are described in more detail below in Section 4.0.
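As an added example, not code from the patent, the pairwise comparison of step 406 (all metric definitions, or only a user-specified subset), the r-squared detail presented at step 408, and the threshold alerting described for process 300 above; the metric names and the daily scores are constructed for illustration:

```python
"""Added example (not the patent's code): identifying relationships between
security metrics as process 400 describes, plus the threshold alerting
described for process 300. Metric names and daily scores are constructed."""
from itertools import combinations
from math import sqrt

# Constructed scores for each metric definition over a ten-day period.
# Each list holds one score per day (step 404 of process 400).
SCORES = {
    "phishing_email_level":      [12, 15, 14, 20, 28, 35, 33, 40, 38, 45],
    "host_intrusion_detections": [3, 4, 4, 6, 8, 10, 9, 12, 11, 13],
    "firewall_blocking_rate":    [100, 98, 101, 99, 100, 102, 97, 100, 99, 101],
    "virus_infections":          [2, 1, 2, 2, 1, 3, 2, 1, 2, 2],
}


def r_squared(xs, ys):
    """Coefficient of determination for two equal-length score series.

    Returns 0.0 when either series is constant, since no linear
    relationship can be measured against a flat line."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be the same length with at least two points")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    r = sxy / sqrt(sxx * syy)
    return r * r


def identify_relationships(scores, selected=None, min_r2=0.8):
    """Step 406: compare metric definitions pairwise and report correlated pairs.

    When `selected` names a subset of metric definitions, only those are
    compared (the user-specified case described for process 400); when it is
    None or empty, every pair is compared. Returns (a, b, r2) tuples."""
    names = sorted(selected) if selected else sorted(scores)
    missing = [name for name in names if name not in scores]
    if missing:
        raise KeyError(f"unknown metric definitions: {missing}")
    relationships = []
    for a, b in combinations(names, 2):
        r2 = r_squared(scores[a], scores[b])
        if r2 >= min_r2:
            relationships.append((a, b, round(r2, 3)))
    # Strongest relationship first, which is the order step 408 would present.
    relationships.sort(key=lambda t: t[2], reverse=True)
    return relationships


def threshold_alerts(values, low=None, high=None):
    """Alert when a key performance indicator rises above `high` or falls
    below `low`. Returns (index, value, direction) tuples."""
    alerts = []
    for i, v in enumerate(values):
        if high is not None and v > high:
            alerts.append((i, v, "above"))
        elif low is not None and v < low:
            alerts.append((i, v, "below"))
    return alerts


if __name__ == "__main__":
    for a, b, r2 in identify_relationships(SCORES):
        print(f"{a} ~ {b}: r-squared = {r2}")
    print(threshold_alerts(SCORES["phishing_email_level"], high=30))
```

With the constructed data only the phishing and host-intrusion series move together; the firewall and virus series are flat enough that their r-squared values fall well below the 0.8 cutoff.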
- the metric system 102 can present the results of its analysis through various graphical user interfaces.
- FIG. 5A is an example graphical user interface 500 presenting three candidate key performance indicators (Metric A125, Metric ZQ24, and Metric R154).
- the user interface presents a graph with lines 502 corresponding to the values of each of the candidate key performance indicators over time. Users can select one or more of the candidate key performance indicators from the user interface, e.g., by selecting the name of the desired key performance indicators in the box 504 .
- FIG. 5B is an example graphical user interface 550 presenting candidate key performance indicator Metric A125 along with three related security metrics (Metric BR45, Metric QR25, and Metric XZS5). Each security metric is presented as a line 552 corresponding to the values of each of the security metrics over time. Users can use the graph presented in the user interface 550 to understand how the candidate key performance indicator (Metric A125) is related to other security metrics.
- FIG. 5C is an example graphical user interface 560 presenting a key performance indicator Metric Q22 with baseline and goal reference points.
- the security metric is presented as a line 562 a corresponding to the value of the security metric over time.
- Baseline and goal references are presented as lines 562 b and 562 c , respectively.
- the baseline is the starting point for the metric, e.g., when the metric was first measured or when the baseline has been reset.
- the goal is the target that the user is trying to achieve with the metric.
- FIG. 5D is an example graphical user interface 570 presenting a key performance indicator Metric Q29 relative to an industry standard.
- the metric Q29 is represented as a line 572 a corresponding to the value of the security metric over time, and the aggregated industry standard over the same time is represented as a line 572 b .
- the system 102 can determine a performance rating relative to an industry.
- the metric Q22 corresponds to virus infections. Note that the aggregate industry metric experienced a large increase for a certain period (e.g., as the result of a new virus), but the customer entity did not experience an abnormal number of infections. Furthermore, the customer entity has a much lower infection rate overall than the industry. Accordingly, the customer entity has a rating of “Excellent” with respect to a virus infection rate.
- FIG. 6 is an example graphical user interface 600 presenting two security metrics (Metric BZ52 and Metric WT98) and details on the relationship between the two security metrics.
- the user interface presents a graph with lines 602 corresponding to the values of each of the security metrics over time.
- the user interface also presents details on the relationship between the two security metrics.
- the relationship is a correlation, so the r-squared value 604 for the correlation is shown.
- the presentation is a threat timeline presentation that illustrates how long the threat has been known, how long the remediation has been available, and how long assets have had particular classifications. For example, if a threat was discovered at day zero, a patch was available at day five, an asset was categorized as “patch urgently” at day ten, and remediations were applied to the asset and the asset was downgraded to “patch later” at day fifteen, the timeline could indicate each of those points in time.
- the timeline aggregates data for multiple assets, for example, to give system administrators an overview of how long it takes to fix known threats to the system.
- Embodiments of the subject matter and the functional operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them.
- Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions encoded on a computer storage medium for execution by, or to control the operation of, data processing apparatus.
- the program instructions can be encoded on a propagated signal that is an artificially generated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus.
- the computer storage medium can be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
- data processing apparatus encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers.
- the apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- the apparatus can also include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
- a computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
- a computer program may, but need not, correspond to a file in a file system.
- a program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
- a computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
- the processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform functions by operating on input data and generating output.
- the processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
- a processor will receive instructions and data from a read-only memory or a random access memory or both.
- the essential elements of a computer are a processor for performing or executing instructions and one or more memory devices for storing instructions and data.
- a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
- a computer need not have such devices.
- a computer can be embedded in another device.
- Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
- the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
- a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer.
- Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
- a computer can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a
- Embodiments of the subject matter described in this specification can be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification, or any combination of one or more such back-end, middleware, or front-end components.
- the components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.
- the computing system can include clients and servers.
- a client and server are generally remote from each other and typically interact through a communication network.
- the relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/078,440 US8806645B2 (en) | 2011-04-01 | 2011-04-01 | Identifying relationships between security metrics |
Publications (2)
Publication Number | Publication Date |
---|---|
US20130247203A1 US20130247203A1 (en) | 2013-09-19 |
US8806645B2 true US8806645B2 (en) | 2014-08-12 |
Family
ID=49158981
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: MCAFEE, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:NAKAWATASE, RYAN;RITTER, STEPHEN;SCHRECKER, SVEN;SIGNING DATES FROM 20110228 TO 20110330;REEL/FRAME:026369/0456 |
FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |
AS | Assignment | Owner name: MCAFEE, LLC, CALIFORNIA Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918 Effective date: 20161220 |
AS | Assignment | Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786 Effective date: 20170929 Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676 Effective date: 20170929 |
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551) Year of fee payment: 4 |
AS | Assignment | Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593 Effective date: 20170929 Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047 Effective date: 20170929 |
AS | Assignment | Owner name: MCAFEE, LLC, CALIFORNIA Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001 Effective date: 20201026 |
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
AS | Assignment | Owner name: MCAFEE, LLC, CALIFORNIA Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213 Effective date: 20220301 |
AS | Assignment | Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:059354/0335 Effective date: 20220301 |
AS | Assignment | Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT, NEW YORK Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:060792/0307 Effective date: 20220301 |